Former systems engineer arrested on charges she accessed data in firewall hack


A systems engineer identified in media reports as a former Amazon employee has been arrested on charges that she hacked into Capital One’s network and stole sensitive data for about 106 million people, according to an FBI court filing and a statement from the Virginia-based bank.

According to reporting by The New York Times and Bloomberg News citing company representatives, defendant Paige A. Thompson, 33, of Seattle was an employee of Amazon Web Services. FBI Special Agent Joel Martini wrote in a criminal complaint filed on Monday that a GitHub account, belonging to Thompson, contained evidence that earlier this year someone exploited a firewall vulnerability in Capital One’s network that allowed an attacker to execute a series of commands on the bank’s servers.

Capital One has confirmed the intrusion and said it affected about 100 million individuals in the US and 6 million people in Canada. Personal information taken included names, incomes, dates of birth, addresses, phone numbers, and email addresses. Social security numbers for 140,000 people were also obtained, and about 80,000 bank account numbers were accessed.

Social Insurance numbers for about 1 million Canadians were also obtained. No credit card numbers or login credentials were compromised. The data came from credit card applications filed from 2005 through early 2019; customer status data, such as credit scores, credit limits, balances, payment history, and contact information; and fragments of transaction data from a total of 23 days during 2016, 2017, and 2018. It's unlikely the stolen data was used in fraud or was widely disseminated, bank officials said.

“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” Richard D. Fairbank, Capital One founder, chairman and CEO, said in a statement. “I sincerely apologize for the understandable worry this incident must be causing those affected, and I am committed to making it right.”

Cloud infiltration

One command executed in the firewall hack allowed the intruder to gain credentials for an administrator account known as "*****WAF-Role." This in turn enabled access to bank data stored under contract by a cloud computing company that went unnamed in court documents, but was identified as Amazon Web Services by the NYT and Bloomberg. Other commands allowed the attacker to enumerate Capital One folders stored on AWS and to copy their contents. IP addresses and other evidence ultimately indicated that Thompson was the person who exploited the vulnerability and posted the data to GitHub, Martini said.

Thompson allegedly used Tor and a VPN from IPredator in an attempt to cover her tracks. At the same time, Martini said that much of the evidence tying her to the intrusion came directly from things she posted to social media or put in direct messages. A June 26 Slack posting and another post the next day to an unnamed service, for instance, both referred to the WAF-Role account.
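The two signals the complaint describes, a WAF role that enumerates storage "folders" and then copies their contents, and that role's API calls arriving from Tor or VPN exit addresses rather than from the bank's own infrastructure, are both things a defender can watch for in cloud API audit logs. The following is an added example, not code from Capital One, AWS or the court filing: a small detector run over constructed log records. The records are shaped like trimmed CloudTrail events (the real format has many more fields); the role name, bucket names and the "expected" address range are placeholders, and the S3 API names (ListBuckets, ListObjectsV2, GetObject) are the real ones.

```python
"""Added example: flag enumerate-then-copy bursts and calls from unexpected
addresses in constructed CloudTrail-style records. Not code from Capital One,
AWS or the FBI complaint; all names and addresses below are placeholders."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: the WAF role should only ever call APIs from inside this network
# (for example, the VPC that hosts the WAF instances). Placeholder range.
EXPECTED_NETWORKS = [ip_network("10.0.0.0/8")]

# Real S3 API names that together read as "list everything, then copy it".
ENUMERATE_EVENTS = {"ListBuckets", "ListObjects", "ListObjectsV2"}
COPY_EVENTS = {"GetObject"}


def _ev(time, role, name, bucket, ip):
    """Build one trimmed CloudTrail-like record (constructed, not real data)."""
    return {"eventTime": time, "role": role, "eventName": name,
            "bucket": bucket, "sourceIPAddress": ip}


# Constructed sample log: one benign call by the WAF role from inside the VPC,
# an enumerate-then-copy burst by the same role from an outside address, and a
# different role doing ordinary work. None of these values are from the case.
SAMPLE_EVENTS = [
    _ev("2019-03-22T09:00:00Z", "EXAMPLE-WAF-Role", "GetObject", "waf-config", "10.0.1.5"),
    _ev("2019-03-22T10:00:00Z", "EXAMPLE-WAF-Role", "ListBuckets", None, "198.51.100.7"),
    _ev("2019-03-22T10:00:05Z", "EXAMPLE-WAF-Role", "ListObjectsV2", "example-apps-bucket", "198.51.100.7"),
    _ev("2019-03-22T10:00:10Z", "EXAMPLE-WAF-Role", "GetObject", "example-apps-bucket", "198.51.100.7"),
    _ev("2019-03-22T10:00:12Z", "EXAMPLE-WAF-Role", "GetObject", "example-apps-bucket", "198.51.100.7"),
    _ev("2019-03-22T10:00:15Z", "EXAMPLE-WAF-Role", "GetObject", "example-apps-bucket", "198.51.100.7"),
    _ev("2019-03-22T10:00:20Z", "EXAMPLE-WAF-Role", "GetObject", "example-apps-bucket", "198.51.100.7"),
    _ev("2019-03-22T09:30:00Z", "EXAMPLE-Reporting-Role", "ListObjectsV2", "reports", "10.0.2.9"),
    _ev("2019-03-22T09:31:00Z", "EXAMPLE-Reporting-Role", "GetObject", "reports", "10.0.2.9"),
]


def parse_time(stamp):
    """CloudTrail timestamps are ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def ip_is_expected(ip):
    """True if the caller's address falls inside an expected network."""
    addr = ip_address(ip)
    return any(addr in net for net in EXPECTED_NETWORKS)


def detect(events, window=timedelta(minutes=30), min_copies=3):
    """Return a list of alerts, one per (role, rule) that fires.

    Rule enumerate_then_copy: an enumerate call followed within `window` by at
    least `min_copies` GetObject calls from the same role.
    Rule unexpected_source_ip: any call by a role from outside
    EXPECTED_NETWORKS, regardless of what the call was.
    """
    events = list(events)
    alerts = []

    by_role = defaultdict(list)
    for e in events:
        by_role[e["role"]].append(e)

    for role, evs in by_role.items():
        evs.sort(key=lambda e: parse_time(e["eventTime"]))
        for i, e in enumerate(evs):
            if e["eventName"] not in ENUMERATE_EVENTS:
                continue
            t0 = parse_time(e["eventTime"])
            copies = [f for f in evs[i + 1:]
                      if f["eventName"] in COPY_EVENTS
                      and parse_time(f["eventTime"]) - t0 <= window]
            if len(copies) >= min_copies:
                alerts.append({"rule": "enumerate_then_copy", "role": role,
                               "first_enumerate": e["eventTime"],
                               "copied_objects": len(copies),
                               "buckets": sorted({f["bucket"] for f in copies})})
                break  # one alert per role is enough to start triage

    seen = set()
    for e in events:
        key = (e["role"], e["sourceIPAddress"])
        if key in seen or ip_is_expected(e["sourceIPAddress"]):
            continue
        seen.add(key)
        alerts.append({"rule": "unexpected_source_ip", "role": e["role"],
                       "sourceIPAddress": e["sourceIPAddress"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample log the detector raises two alerts, both against the WAF role: an enumerate-then-copy burst of four objects from one bucket, and API calls from an address outside the expected network. The reporting role, which lists one prefix and fetches one object from inside the VPC, stays quiet. The thresholds (`window`, `min_copies`) and the expected networks are the tuning knobs; in practice they are set per role from a baseline of that role's normal behaviour.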

In response to a June 27 post, someone told her: “sketchy shit. don’t go to jail, plz.” Using the handle "erratic" she responded [sic throughout]:

wa wa wa wa, wa wa wa wa wa wa wawaaaaaaaaaaa. I’m like >ipredator > tor >s3 on all this shit .. i wanna get it off my server thats why Im archiving all of it. Its all encrypted. I just dont want it around though. I gotta find somewhere to store it. That infobloxcto one is interesting. They have > 500 docker containers.

Martini said that, on June 18, a Twitter user with the screen name "Erratic" sent direct messages to another user that read: “I’ve basically strapped myself with a bomb vest, fucking dropping capitol ones dox and admitting it. I wanna distribute those buckets i think first. There ssns... with full name and dob.”

[Image: The Twitter profile of "Erratic," a persona federal authorities said belonged to defendant Thompson.]

The unnamed receiver of those messages sent them to Capital One officials. Capital One officials also received an email dated July 17 from someone reporting that sensitive data was posted to Thompson’s GitHub account. “Let me know if you want help tracking them down,” the person wrote. It wasn’t immediately clear if the reports came from the same person or two different people. Other evidence tying Thompson to the hack included IP addresses, Martini said. Capital One confirmed the intrusion on July 19.

Thompson was arrested on Monday and is being detained pending a bail hearing scheduled for Thursday. She’s charged with a single count of computer fraud and faces a maximum penalty of five years in prison and a $250,000 fine. At a court hearing later in the day, according to Bloomberg News, Thompson “broke down and laid her head down on the defense table.”

I wonder how much of her 'hack' was purely down to knowledge of the cloud provider's internal systems and architecture and the credentials to access these systems. Perhaps this is a good example of having a solid process in place for when a contractor or employee leaves to ensure that whatever systems they used to have access to are 100% inaccessible to them after they leave...

The number of stories I've heard from SysAdmins who jokingly try to access a former employer's network with their old credentials only to be shocked they still have admin access is a scary and boggling thought.

Of course there is the other side of this story as to why the cloud provider needs to even access bank data to begin with...

Although the court papers may not mention it, the Bloomberg article now notes the unnamed cloud provider is AWS roughly 100 times. I think anyone reading this article knows who a cloud worker in Seattle is most likely working for.

A GitHub account belonging to her showed that, earlier this year, someone exploited a firewall vulnerability in Capital One’s network that allowed an attacker to execute a series of commands on the bank’s servers.

Where's the defense-in-depth? If your system is set up so compromising one single device exposes your whole network, you should assume you've already been hacked.

I’m just going to be guilty of judging a book by its Twitter cover and assume that when she comes down she’s prob going to regret her actions and loss of career. I also assume that this was the end of a long downward spiral.

Is there a prize for accumulating the most years of free credit monitoring?

At this point I don’t need it. I’m monitoring my credit well enough with apps and by myself. I’ll take the cash. At least I get 1/10000 of the PIA involved. Hell, give me travel miles or something that I can actually use.

(a) Whoever, in a circumstance described in subsection (c) of this section—

(7) knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law;

Section C, which is key here, reads:

Quote:

(c) The circumstance referred to in subsection (a) of this section is that—

(1) the identification document, authentication feature, or false identification document is or appears to be issued by or under the authority of the United States or a sponsoring entity of an event designated as a special event of national significance or the document-making implement is designed or suited for making such an identification document, authentication feature, or false identification document;

(2) the offense is an offense under subsection (a)(4) of this section; or

(3) either—

(A) the production, transfer, possession, or use prohibited by this section is in or affects interstate or foreign commerce, including the transfer of a document by electronic means; or

(B) the means of identification, identification document, false identification document, or document-making implement is transported in the mail in the course of the production, transfer, possession, or use prohibited by this section.

So unless they can prove her actions met those elements, they can't nail her for identity theft. It's conceivable she could be charged under WA State law as well, but that isn't generally bothered with.

Is it safe to assume yet that everyone's name, DOB, address, phone number, and email address have been compromised? You could take this data dump and the Equifax dump and a few others and have a directory of the entire U.S. population.

Although the court papers may not mention it, the Bloomberg article now notes the unnamed cloud provider is AWS roughly 100 times. I think anyone reading this article knows who a cloud worker in Seattle is most likely working for.

Well, MS is in the area, with folks generally lumping Redmond into the Seattle sprawl. There are also offices for Google, Salesforce, etc. in the area, all cloud providers, albeit other than GCloud (which is still struggling for relevance) it's mostly SaaS stuff, which I don't think is what people mean when they say Cloud Provider. Still, the S3 reference was a pretty good giveaway, with Bloomberg providing some more thorough journalistic verification.

Can I point out that you’re outing a transgender woman’s identity in a rather public forum, just because the media is reporting she was arrested? Why the fuck do you think is this an OK thing to do? No sense of due process for the accused, given the severe consequences of what you’re doing?

It's not exactly like it's a secret, if you spend two seconds on their Twitter account. Shockingly, not everyone is mortified to be trans, as you seem to assume. Not like any of this is relevant to the article or anything, though.